Secure Computation ORAM The Case of 3-Party Computation Stanislaw - - PowerPoint PPT Presentation

Secure Computation ORAM

The Case of 3-Party Computation

AC’15: Sky Faber, S.J., Sotirios Kentros, Boyang Wei New Work: S.J., Boyang Wei Stanislaw Jarecki, UC Irvine

Cryptography in the RAM Model Workshop, Cambridge, MA, June 2016

Secure Computation of (O)RAM Access (SC-ORAM)

FORAM

s1 s2 ..... sn ⟷ D[x]

ss ss

D1 D2 Dn x1 x2 ..... xn ⟷ x

( for <write>: additional shared input v and D ⟶ D’ s.t. D’[x]=v )

SC-ORAM = Sec.Comp of FORAM: sharing of D,x ⟶ sharing of D[x]

Secure Computation of (O)RAM Access (SC-ORAM)

FORAM

x1 x2 ..... xn ⟵ x s1 s2 ..... sn ⟶ s = D[x]

ss ss

Application: n-Server Private Database ( n-Server SPIR) Client

SC-ORAM = Sec.Comp of FORAM: sharing of D,x ⟶ sharing of D[x]

D1 D2 Dn

Secure Computation of (O)RAM Access (SC-ORAM)

P1 P2 ..... Pn

FORAM FRAM-PROGRAM

D2

var stack

x,y,z,...

Instr 1,2,... each instruction computed by standard MPC (Yao, BGW, ...)

read(x) or write(x,v) v=D(x)

,v Application: Sec. Comp. of RAM Program [OS’97,DMN’11,GKKKMRV’12]

• Sec. Comp. of RAM programs with polylog(|D|) overhead

SC-ORAM = Sec.Comp of FORAM: sharing of D,x ⟶ sharing of D[x]

secret- shared values

Generic SC-ORAM Construction [OS’97,GKKKMRV’12]

ORAM Scheme + Secure Comp. of Client’s Code ⟶ SC-ORAM ORAM: SC-ORAM:

Client2 Server MK2 , x2 EncMK(D; r) v2 Client1 MK1 , x1 v1

[2PC]

D[x]=v1⨁v2 P1 P2

ORAM Scheme + Secure Comp. of Client’s Code Client2 Server MK2 , x2 EncMK(D; r) v2 Client1 MK1 , x1 v1

[2PC]

P1 P2 D[x] = v1 ⨁ v2

For efficient MPC of RAM programs we need ORAM whose Client is “Secure-Computation Friendly”

Generic SC-ORAM Construction [OS’97,GKKKMRV’12]

[GKKKMRV’12a]: GO’96 ORAM + Yao + PK-based SS-OPRF gadget [GKKKMRV’12b]: Path-ORAM [Shi+’11] + Yao [WHCSS’14]: Path-ORAM modified + Yao ⇒ smaller circuits

Our Question:

Could SC-ORAM be faster given 3 players with honest majority?

3 Parties = 2 Parties with correlated randomness Example: Oblivious Transfer with Precomputation [Bea’95]

P3 z0 , z1 z0 , z1 : random strings c

: random bit

zc , c m0 ⨁ zπ , m1 ⨁ zπ π = b ⨁ c m0 , m1 P1 P2 bit b

2 Parties: OT needs PK crypto ops [IR’89] 3 Parties: OT costs 4 xor’s

SC for Path-ORAM [Shi+’11]

Path-ORAM Access: Recursive Tree+Array Lookup

Split address space of m bits, h chunks of τ=m/h bits N = [N1 | N2 | ... |Nh] Ti is a binary tree of depth di=i·τ, tree nodes are buckets of size w ORAM = (T0,T1,T2,...,Th) N1 L1

Server Client

retrieve & decrypt T1 T0 L1

di·w

...

N1 L2 N2 T2 L2

...

N1|N2 L3 N3 and so on... ... Th

SC for Path-ORAM [Shi+’11]

Path-ORAM Access: Recursive Tree+Array Lookup

N1 L1

Server Client

T1 T0 L1

di·w

...

N1 L2 N2 T2 L2

...

N1|N2 L3 N3 and so on... ... Th Split address space of m bits, h chunks of τ=m/h bits N = [N1 | N2 | ... |Nh] Ti is a binary tree of depth di=i·τ, tree nodes are buckets of size w ORAM = (T0,T1,T2,...,Th) set w =O(𝑛) [or O( 𝑛)]

Client’s code is a sequence of array or dictionary list look-ups...

SC for Path-ORAM [Shi+’11]

The other half: Path-ORAM Eviction

N1 L1

Server Client

T1 T0 2τ L1

w

...

N1 L2 N2 T2 L2

...

N1|N2 L3 N3 and so on... ... Th

Eviction: 1) put the (modified) retrieved entry on top 2) move all* entries down towards their targets labels SC-ORAM: To reduce circuit size, use constrained eviction strategy

SC for Tree-ORAM

Three Steps

Access: Retrieve data assoc. with searched-for address N (CA) SS[ X , N ]  d s.t. (N,d)  X Eviction.1: Compute movement logic, T : [n]  [n] (CT) SS[ X|N ]  SS[ T ] Eviction.2: Permute path X according to T (CM) SS[ X , T ]  SS[ T(X) ] s.t. T(X) = XT(1),…,XT(n)

X = (X1,…,Xn) : tree path k: sec.par.

2PC-ORAM costs: online, passive adv (last tree, w/o small constants)

bndw: |X|k comp: |CA|+|CT|+|CM| ciphers (+ k OT’s)

Client’s code is a sequence of array look-ups... 3PC idea: ⦁ secret-share all data (Ti’s and N) between P1 & P2

• send matching entry to P3 via Conditional SS-OT

3PC for Tree-ORAM

Access Step: SS[ X , N ]  d s.t. (N,d)  X P1 P2 P3 Ni

1 di 1

... ... ... ... Ni

2 di 2

... ... ... ... N1*, N*, N2*, di

1 ⨁ di 2

for i s.t. Ni

1⨁N1 * = Ni 2⨁N2*

Ni di ... ... ... ... N1 d1 Nn dn

3PC for Tree-ORAM

Access Step: SS[ X , N ]  d s.t. (N,d)  X P3 P1 P2 Ni

1 di 1

... ... ... ... Ni

2 di 2

... ... ... ... N1*, N2*, di

1 ⨁ di 2

for i s.t. ai = bi ai bi

= String Equality Problem: 2PC, Yao’s GC: knD bndw (+k exp’s) 2PC, arith.circ.: bndw--, rounds++ 2PC, DH-KE: n exp’s 3PC: Conditional Disclosure of Secrets [GIKM00], IT: 4nD bndw [AC’15], crypt: 2n(m+D) bndw  2x plain Client-Server ORAM 3PC, 2-PIR: +1 round, 2nm+nD bnds

k: sec.par. n: # tuples in path D: record size m: address size

3PC for Tree-ORAM

3PC Tool: Conditional OT on Shared Inputs P1 P2

P1 & P2 hold same PRF key k

di

1 ⨁ di 2

for i s.t. ai = bi di

1

... ... ... ... ai di

2

... ... ... bi ... [𝐵𝑗, 𝐷𝑗] = 𝑄𝑆𝐺

𝑙 𝑏𝑗

{ [𝐵𝑗, 𝑒𝑗1 ⨁𝐷𝑗] }𝑗 { [𝐶𝑗, 𝑒𝑗

2 ⨁𝐸𝑗] }𝑗

[𝐶𝑗, 𝐸𝑗] = 𝑄𝑆𝐺

𝑙 𝑐𝑗

P3

Problem: P3 learns position i where the ai = bi match occurs… 3PC sol.: P1 & P2 shift their input lists by (the same) random offset P3 can learn a pointer into the shifted list (= random in [n])

Path-ORAM: from 2PC to 3PC

Access Step via CDS a.k.a. SS-COT

Access (CA): SS[ X , N ]  d s.t. (N,d)  X Ev.1 (CT): SS[ X|N ]  SS[ T ] Ev.2 (CM): SS[ X , T ]  SS[ T(X) ] s.t. T(X) = XT(1),…,XT(n)

2PC-ORAM 3PC-ORAM

X = (X1,…,Xn) : tree path k : sec.par.

Acc: bndw: |X|k + ciph: |CA| + OT’s bndw: |X| Ev.1: ciph: |CT| ? Ev.2: ciph: |CM| ?

• 100x cheaper access
• Benefits:
• response time (eviction in background)
• access inherently sequential
• batch access with postponed eviction

3PC idea: Use Yao for CT, but make transition table T “uniform” s.t.: Ev.1: If P1 and P2 locally permute secret-shared list X then P3 can learn T in the clear Ev.2: SS[ X, T ]  SS[ T(x) ] is a simple variant of OT

3PC for Tree-ORAM

Eviction Steps P1 P2 P3

Ev.1 (CT): SS[ X|N ]  SS[ T ] Ev.2 (CM): SS[ X , T ]  SS[ T(X) ] s.t. T(X) = XT(1),…,XT(n)

(T) SS[X] SS[ T(X)]

• 1 message flow
• bndw: 4|X|
• no crypto ops

Uniform Transition Table T [AC’15]:

• T moves 2 items from node i to i+1
• P1&P2 shuffle each bucket
• P3 learns 2 first movable/empty

items after 2 random shifts

Path-ORAM: from 2PC to 3PC

Access (SS-COT), Ev.1 (Yao), Ev.2 (SS-OT)

Access (CA): SS[ X , N ]  d s.t. (N,d)  X Ev.1 (CT): SS[ X|N ]  SS[ T ] Ev.2 (CM): SS[ X , T ]  SS[ T(X) ] s.t. T(X) = XT(1),…,XT(n)

2PC-ORAM 3PC-ORAM

Acc: bndw: |X|k + ciph: |CA| +OT’s bndw: |X| Ev.1: ciph: |CT| ciph: |CT| + bndw: nmk Ev.2: ciph: |CM| bndw: |X| bndw: |X|k = n(m+|d|)k ≈ m2w  k ciph: m2w(+CT+ CM) +OT’s m2w  (+k) m2w  CT k=128, m=32 2PC: k=512 for =4  D = 16B  τ = 2  16 rounds 3PC: +k=384 for =256  D = 1KB  τ = 8  4 rounds

X = (X1,…,Xn) : tree path Xi = (addr.,data) k : sec.par. n = mw m : address size w : bucket width  = max(2τ,D/m) τ : addr. chunk size D : record size |d| ≈ m CT, CM: circ.comp. of CT,CM (=circuit size / input length)

Path-ORAM: from 2PC to 3PC

Access (SS-COT), Ev.1 (Yao), Ev.2 (SS-OT) 2PC-ORAM 3PC-ORAM

Acc: bndw: |X|k + ciph: |CA| +OT’s bndw: |X|

X = (X1,…,Xn) : tree path Xi = (addr.,data) k : sec.par. n = mw m : address size w : bucket width  = max(2τ,D/m) τ : addr. chunk size D : record size |d| ≈ m CT, CM: circ.comp. of CT,CM (=circuit size / input length)

Ev.1: ciph: |CT| ciph: |CT| + bndw: nmk Ev.2: ciph: |CM| bndw: |X| bndw: |X|k = n(m+|d|)k ≈ m2w  k ciph: m2w(+CT+ CM) m2w  (+k) m2w  CT AC’15: 3PC with simplistic eviction: very low CT, w=O(m+k) ≈100 WCS’15: “Circuit-ORAM”: 2PC, greedy eviction, higher CT, w=3, CM=2 New work: 2PC with same eviction as in Circuit-ORAM, slightly higher CT

Circuit ORAM Eviction:

greedy: “deepest goes first”

Making it Uniform: 6 7 8 5 4 3 2 1 6 7 8 5 4 3 2 1 5 8 2 7 1 4 6 3

Randomly Permute

Circuit-ORAM Eviction [WCS’15]

From 2PC to 3PC : Making Transition Table T Uniform

• 1. Fill-in jumps so T is a cycle
• 2. Reveal (T)(i) instead of T(i) for $ 
• permute outside Garb.Circ.
• +2 rounds for (de-)mask/permute

Path-ORAM: 2PC vs. 3PC

2PC-ORAM: 3PC-ORAM:

k : sec.par (=128). m : address size w : bucket width (=3)  = max(2τ,D/m)=2τ τ : addr. chunk size D : record size (=4B) CT (= ?) CM (=2) : circ.comp. of CT,CM (=circuit size / input length)

bndw= m2w  k |circ|= m2w(+CT+ CM) bndw = m2w  (+k) |circ|= m2w  CT

CORAM: 2PC [WCS’15]: higher CT, w=3, CM=2 3PORAM: 3PC [AC’15]: low CT, w=O(m+k) ≤ 128 3PCORAM: 3PC [new]: same CT (~1.2x) and w as in CORAM

m: address size

3PC: ~10 x

Path-ORAM: 2PC vs. 3PC

2PC-ORAM: 3PC-ORAM:

bndw= m2w  k |circ|= m2w(+CT+ CM) bndw = m2w  (+k) |circ|= m2w  CT

CORAM: 2PC [WCS’15]: higher CT, w=3, CM=2 3PORAM: 3PC [AC’15]: low CT, w=O(m+k) ≤ 128 3PCORAM: 3PC [new]: same CT (~1.2x) and w as in CORAM

m: address size

3PC: 5-10x

k : sec.par (=128). m : address size w : bucket width (=3)  = max(2τ,D/m)=2τ τ : addr. chunk size D : record size (=4B) CT (= ?) CM (=2) : circ.comp. of CT,CM (=circuit size / input length)

Path-ORAM: 2PC vs. 3PC

2PC-ORAM: 3PC-ORAM:

bndw= m2w  k |circ|= m2w(+CT+ CM) bndw = m2w  (+k) |circ|= m2w  CT

m: address size

3PC:

Larger τ  2x

• 1.5x for CPU
• 2-3x in rounds

Pipelining  2x

3PCORAM: 2PC [WCS’15]: higher CT, w=3, CM=2 3PORAM: 3PC [AC’15]: low CT, w=O(m+k) ≤ 128 3PCORAM: 3PC [new]: same CT (~1.2x) and w as in CORAM

k : sec.par (=128). m : address size w : bucket width (=3)  = max(2τ,D/m)=2τ τ : addr. chunk size D : record size (=4B) CT (= ?) CM (=2) : circ.comp. of CT,CM (=circuit size / input length)

Examples:



pipelining, batched access with postponed eviction, parallel access



MPC for other data-structures



general (t,n): the “P1/P2 permute & P3 gets outputs” idea doesn’t scale...



malicious security? covert security?



secure-computation-friendly multi-server ORAM ([LO’14]: client uses PRF)

Questions, Directions